Clues that revealed a serious security breach of Neiman Marcus customers’ credit cards unfolded over the holidays as thieves were probably buying gifts.

Dallas-based Neiman Marcus disclosed late Wednesday that 1.1 million credit and debit cards used at its stores may have been compromised in last year’s malware security breach.

The theft occurred through malware that collected payment card data from July 16 to Oct. 30. Fraudulent purchases began to show up in December during the thick of the holiday shopping season.

The malicious software has been disabled.

Visa, MasterCard and Discover have found 2,400 cards belonging to customers of Neiman Marcus and Last Call clearance centers that were used fraudulently, the company said.

CEO Karen Katz apologized to customers in a letter published on its website.

“We deeply regret and are very sorry that some of our customers’ payment cards were used fraudulently after making purchases at our stores,” Katz said in the online letter.

The company said it first learned that malware had been installed on its system on Jan. 1, when it was notified by a forensics firm. In mid-December, Neiman Marcus had been notified by its payment processor that some potentially unauthorized card activity had occurred after customers made purchases at its stores.

“Our goal is to do everything possible to restore your trust and to earn your loyalty,” Katz said in the letter. “We aim to protect your personal and financial information. We want you always to feel confident shopping at Neiman Marcus, and your trust in us is our absolute priority.”

In a letter to Sen. Richard Blumenthal, D-Conn., dated Wednesday, Neiman Marcus chief information officer Michael Kingston outlined how the company learned about the breach.

The letter was a response to Blumenthal’s recommendation that Neiman Marcus should provide free credit-monitoring and identity theft insurance to all its customers.

Friday the 13th

On the evening of Friday, Dec. 13, Neiman Marcus was notified by its processor that Visa had identified an unknown number of fraudulent credit card uses. The cards had a common link: They had all been used at a small number of Neiman Marcus stores.

On Dec. 17, the company received a report from MasterCard that 122 cards used at one Neiman Marcus store had later been used fraudulently. Additional reports came in from Visa and MasterCard over the next couple of days.

On Dec. 29, Neiman Marcus hired a second forensic firm, Stroz Friedberg, to independently investigate whether the retailer’s system had been compromised.

The first firm discovered the malware on New Year’s Day. The malware was complex, and its output of data was encrypted. It took a few days to untangle the algorithm and create a script that would disable it. The malware was discovered in additional stores on Jan. 6. It was disabled by Jan. 10.

As of this week, no fraudulent activity has been identified with the private-label cards of Neiman Marcus or Bergdorf Goodman, which has two stores under the Neiman Marcus umbrella, as a result of the malware, the company said.

The retailer is notifying all customers who shopped at its stores since January 2013. It’s also offering one free year of credit-monitoring and identity theft protection to anyone who shopped at its stores over the past year. That’s three times the number of people who may have been exposed, Neiman Marcus spokeswoman Ginger Reeder said.

As a leading luxury department store, Neiman Marcus caters to wealthy and financially savvy shoppers. So far, customers have reacted positively to how it has handled the situation, Reeder said.

Neiman Marcus has only accepted Visa and MasterCard debit and credit cards for a couple of years. Before November 2011, customers paying with credit were limited to using the company’s branded cards or American Express.

Through its 30-year-old InCircle loyalty program, Neiman Marcus has a close relationship with its best customers.

In 2012, about 40 percent of its annual sales came from the 144,000 InCircle members who achieved reward status. These members spend 17 times more annually than its other customers.

What thieves didn’t get

So far, the company said it has learned that no Social Security numbers or birth dates were stolen. Online shoppers don’t appear to have been affected. PIN numbers weren’t at risk because the retailer doesn’t use PIN pads in its stores.

Neiman Marcus said it has no knowledge of any link to the Target Corp. breach, which occurred during the key holiday shopping season. Hackers stole about 40 million credit and debit card numbers from Target customers and may have gotten personal information, such as email and home addresses, from as many as 70 million customers.

Dallas-based iSight Partners, a global cyber intelligence firm, has been working with the U.S. Secret Service and the Department of Homeland Security to track the cyber scammers. In a report published this month, iSight said that the Target security breach was probably part of a broader scam and that additional retailers may have been affected.

No other chains have disclosed a breach to their customers yet.

“For over a century, our company’s mission has been dedicated to delivering exceptional service to each of our customers, and responding properly to this attack is our top priority,” Katz said.
